Let me suggest a philosophy that may help you with this. In doing so, I am understanding the issue to be, "People put information into my web site, I store this information in my data base and I regurgitate this information to other clients. I am definitely interested in security and I want to be sure that I do not receive a toxic script or other dangerous information and then accidentally poison someone's web browser. Also, I want to be able to store quote marks correctly."

The correct way to store the received information is to take the entire string of data from the external client and escape it with mysql_real_escape_string() or your favorite equivalent escape function. Then put it into the data base table.

The correct way to regurgitate the data is to read it from the data base table and pass it through htmlentities() before sending it to the client browser output stream.